Configure security in Kibana
Self Managed
When you start Elasticsearch for the first time, Elastic Stack security features are enabled on your cluster and TLS is configured automatically. The security configuration process generates a password for the elastic
user and an enrollment token for Kibana. Start the Elastic Stack with security enabled and then enroll Kibana as part of the configuration process.
You can then log in to Kibana as the elastic
user to create additional roles and users.
When a user is not authorized to view data in an index (such as an Elasticsearch index), the entire index will be inaccessible and not display in Kibana.
Set an encryption key so that sessions are not invalidated. You can optionally configure additional security settings and authentication.
Set the
xpack.security.encryptionKey
property in thekibana.yml
configuration file. You can use any text string that is 32 characters or longer as the encryption key. Refer toxpack.security.encryptionKey
.xpack.security.encryptionKey: "something_at_least_32_characters"
Kibana's reporting and saved objects features also have encryption key settings. Refer to
xpack.reporting.encryptionKey
andxpack.encryptedSavedObjects.encryptionKey
respectively.Optional: Configure Kibana to authenticate to Elasticsearch with a client certificate.
Restart Kibana.
Configure roles for your Kibana users to control what data those users can access.
Temporarily log in to Kibana using the built-in
elastic
superuser so you can create new users and assign roles. If you are running Kibana locally, go tohttps://localhost:5601
to view the login page.NoteThe password for the built-in
elastic
user is generated as part of the security configuration process on Elasticsearch. If you need to reset the password for theelastic
user or other built-in users, run theelasticsearch-reset-password
tool.Create roles and users to grant access to Kibana.
To manage privileges in Kibana, go to the Roles management page using the navigation menu or the global search field. The built-in
kibana_admin
role will grant access to Kibana with administrator privileges. Alternatively, you can create additional roles that grant limited access to Kibana.If you’re using the default native realm with Basic Authentication, go to the Users management page using the navigation menu or the global search field to create users and assign roles, or use the Elasticsearch user management APIs. For example, the following creates a user named
jacknich
and assigns it thekibana_admin
role:POST /_security/user/jacknich
{ "password" : "t0pS3cr3t", "roles" : [ "kibana_admin" ] }
TipFor more information on Basic Authentication and additional methods of authenticating Kibana users, see Authentication.
Grant users access to the indices that they will be working with in Kibana.
TipYou can define as many different roles for your Kibana users as you need.
For example, create roles that have
read
andview_index_metadata
privileges on specific data views. For more information, see User authorization.Log out of Kibana and verify that you can log in as a normal user. If you are running Kibana locally, go to
https://localhost:5601
and enter the credentials for a user you’ve assigned a Kibana user role. For example, you could log in as the userjacknich
.NoteThis must be a user who has been assigned Kibana privileges. Kibana server credentials (the built-in
kibana_system
user) should only be used internally by the Kibana server.
To secure your Kibana installation in production, consider these high-priority topics to ensure that only authorized users can access Kibana.
You should use SSL/TLS encryption to ensure that traffic between browsers and the Kibana server cannot be viewed or tampered with by third parties. See encrypt HTTP client communications for Kibana.
Refer to Secure HTTP communications > Mutual TLS between Kibana and Elasticsearch for information on how to enable mutual TLS between Kibana and Elasticsearch.
You can use Elastic Stack security features to control what Elasticsearch data users can access through Kibana.
When security features are enabled, Kibana users have to log in. They must have a role granting Kibana privileges and access to the indices that they will be working with in Kibana.
If a user loads a Kibana dashboard that accesses data in an index that they are not authorized to view, they get an error that indicates the index does not exist.
For more information on granting access to Kibana, see Kibana privileges.
The Kibana server can instruct browsers to enable additional security controls using HTTP headers.
Enable HTTP Strict-Transport-Security.
Use
strictTransportSecurity
to ensure that browsers will only attempt to access Kibana with SSL/TLS encryption. This is designed to prevent manipulator-in-the-middle attacks. To configure this with a lifetime of one year in yourkibana.yml
:server.securityResponseHeaders.strictTransportSecurity: "max-age=31536000"
WarningThis header will block unencrypted connections for the entire domain. If you host more than one web application on the same domain using different ports or paths, all of them will be affected.
Disable embedding.
Use
disableEmbedding
to ensure that Kibana cannot be embedded in other websites. To configure this in yourkibana.yml
:server.securityResponseHeaders.disableEmbedding: true
Kibana uses a Content Security Policy (CSP) to prevent the browser from allowing unsafe scripting, but older browsers will silently ignore this policy. If your organization does not need to support very old versions of our supported browsers, we recommend that you enable Kibana's strict
mode for the CSP. This will block access to Kibana for any browser that does not enforce even a rudimentary set of CSP protections.
To do this, set csp.strict
to true
in your kibana.yml
:
csp.strict: true